Abstract
Recently, attribute-based access control (ABAC) has received increasingly more attention and has emerged as the desired access control mechanism for many organizations because of its flexibility and scalability for authorization management, as well as its security policies, such as separation-of-duty constraints and mutually exclusive constraints. Policy-engineering technology is an effective approach for the construction of ABAC systems. However, most conventional methods lack interpretability, and their constructing processes are complex. Furthermore, they do not consider the separation-of-duty constraints. To address these issues in ABAC, this paper proposes a novel method called policy engineering optimization with visual representation and separation of duty constraints (PEO_VR&SOD). First, to enhance interpretability while mining a minimal set of rules, we use the visual technique with Hamming distance to reduce the policy mining scale and present a policy mining algorithm. Second, to verify whether the separation of duty constraints can be satisfied in a constructed policy engineering system, we use the method of SAT-based model counting to reduce the constraints and construct mutually exclusive constraints to implicitly enforce the given separation of duty constraints. The experiments demonstrate the efficiency and effectiveness of the proposed method and show encouraging results.
Highlights
With the rapid development and comprehensive application of network information technology, there is a large amount of storage required and many exchanges in large-scale and complex information-management systems [1]
To improve the efficiency of the mining process, Gautam et al [18] regarded the number of attributes included in any rule as a weight and presented a constrained policy mining algorithm in attribute-based access control (ABAC) that constructed a set of authorization rules from an access control matrix, such that the weight of each rule was less than a specified value, and the sum of the total weights of the rules was minimized
Besides the basic components of ABAC, the other components involved in traditional ABAC policy mining [20] can be presented as follows: (1) A represents a set of all possible authorizations that occur in an ABAC system
Summary
With the rapid development and comprehensive application of network information technology, there is a large amount of storage required and many exchanges in large-scale and complex information-management systems [1]. Similar to role engineering in RBAC, there are two main approaches for constructing policy-engineering systems: top-down [6] and bottom-up [7,8,9] For the former, rules are specified by precisely evaluating and splitting the business processes into smaller independent units that are associated with access permissions. This approach can ignore the existing access modes in the organization and is time-consuming, labor-intensive, and error prone. Das et al [11] considered that the policy-engineering problem in ABAC and the role-engineering problem in RBAC are similar and important for the construction of the corresponding access control models and presented a detailed survey of the two techniques.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have